October 15, 2019

New Challenges In Preparing For And Defending Against Breach Litigation

Jon Knight, Boies Schiller Flexner LLP

Dan Gerken, VERTIV

Mike Borgia, Aon’s Cyber Solutions (formerly Stroz Friedberg)


This Is A Conversation About Risk

• Increased risk of litigation and government investigation following a data breach and the factors driving that risk.

• Practical, internal conversations to identify risks and opportunities to avoid and defend against breach disputes with business partners.

• Adapting your infrastructure and policies to reduce risk.


Questions + Contact

Jon Knight, Attorney, Boies Schiller Flexner LLP, 202-237-2727

Dan Gerken, Associate GC, Americas, Vertiv, 614-841-5922

Mike Borgia, Vice President, Aon’s Cyber Solutions (formerly Stroz Friedberg), 617-259-9911

The New Normal: Increased Risks Stemming From A Data Breach

The New Normal: Increased Risk

[Chart: Publicly Reported Data Breaches, 2017 to 2019 (y-axis 0 to 1000). Source: Privacy Rights Clearinghouse]

The New Normal: Increased Risk

[Chart: Percent of Data Breaches Due to Unintentional Disclosure, 2016 to 2019 (y-axis 22 to 29)]

The New Normal: Increased Risk

[Chart: Percentage of Data Breaches Due To External Malicious Activity, 2016 to 2019 (y-axis 0 to 70)]

The New Normal: Increased Risk

[Chart: Percentage of Data Breaches Prompting Class Action Litigation, 2016 to 2018 (y-axis 0 to 6)]

The New Normal: Increased Risk

Increased Risk Courts Will Not Grant a Motion to Dismiss

Circuits With Relaxed Standing Requirements
• Third
• Sixth
• Seventh
• Eighth
• Ninth
• D.C.

Circuits With More Strict Standing Requirements
• Second
• Fourth

The New Normal: Increased Risk

Relaxed Standing Requirement – A Case Study

In Re: U.S. Office of Personnel Management Data Security Breach Litigation

• “Risk of future identity theft” found based on the nature of the compromised data.

• Confirmed that “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”

• In other words, plaintiffs need not show fraudulent charges were made or other injuries. Injury is essentially presumed based on the type of data taken.

The New Normal: Increased Risk

The Ninth Circuit Is Where The Action Is

Frank v. Gaos: on remand to the Ninth Circuit from the Supreme Court to consider standing. The privacy question is whether including information about a user’s search terms in the HTTP referrer header constitutes a violation of several Federal laws. The Supreme Court has asked the lower court to consider whether the plaintiffs have a concrete injury.

Facebook Consumer Privacy User Profile Litigation: the District Court denied a motion to dismiss, finding plaintiffs adequately alleged “a simple ‘privacy injury’” arising from the mere disclosure of certain information to other third parties, and that this “privacy injury” “gives rise to Article III standing” “without [any] further consequences.” Facebook has requested permission to make an immediate appeal.

The New Normal: Increased Risk

Other Factors Driving Litigation Risk

• The difficulty in waiving litigation rights or forcing arbitration in some jurisdictions. This is primarily a concern in California, meaning there is growth in the number of cases being brought in California.

• The CCPA. This law gives guaranteed statutory damages for certain breaches and an express allowance for class actions, which means it will be very difficult for defendants to argue that plaintiffs have no standing or no injury.

• New state laws prompt creative legal theories. The CCPA is the most recent change at the state level, but other laws are pending. All such laws will provide fodder for test cases as plaintiffs seek to probe the limits of what claims they can and cannot bring. For example, whether violations of the CCPA can be predicate violations of 17200, or whether violations of the “data sale” portion of the CCPA can be considered a data breach under the CCPA, are undecided questions.

New Challenges in Data Breach Litigation: Practical Perspectives

Dan Gerken

• Associate General Counsel, Americas

• October 15, 2019

An introduction to Vertiv

Architects of Continuity™

• Data Centers
• Communications Networks
• Commercial and Industrial Facilities

© 2019 Vertiv All Rights Reserved


Nearly all aspects of our lives involve the use of technology. Technology drives the world’s demand for data.

Vertiv brings together hardware, software, and ongoing services to ensure our customers’ vital applications run continuously and perform optimally.

Large Infrastructure: AC Power, DC Power, Energy Storage, Industrial Solutions, Thermal

IT and Edge Infrastructure: Edge Systems, IT Systems, Rack, Rack PDU, Rack Thermal, Rack UPS

Solutions

Services and Software

Our portfolio

POWER MANAGEMENT
• Small, medium and large uninterruptible power systems (UPS)
• Industrial-grade UPS
• AC power distribution systems
• 12V to 400V DC power systems
• Custom DC UPS systems along with DC battery chargers and distribution

THERMAL MANAGEMENT
• Small thermal systems including room and row/rack cooling
• Air handling and chiller: large systems located outside the data room that provide climate control

IT AND EDGE INFRASTRUCTURE AND SOLUTIONS
• IT and infrastructure management solutions
• Rack PDUs
• Integrated solutions

SERVICES
• Diverse array of services to handle ongoing customer equipment and product needs
• Maintenance, project and training services
• Tailored customer offerings

Select offerings: Integrated Solutions, Liebert iCOM, Liebert CRV, Liebert DSE Package System, NetSure 5000, NetSure 7000, NetSure 8000, Liebert EXM, Liebert EXL S1, Liebert FPC, Preventive Maintenance, Performance Optimization, Project Services, Remote Services, Software & Monitoring, Liebert DS, KVM & Serial Console, Racks

Vertiv Data Center Application

• Air handlers & chillers
• Thermal management
• UPS systems
• Condensers
• Power distribution
• Integrated solutions
• Racks & containment
• Monitoring control & management
• Project services

Other noteworthy Vertiv Stats

• Customer base: We serve +70% of Fortune 500 companies
• Operating capabilities: We have 20+ GW of installed cooling capacity and 14+ GW of installed UPS power. Creating a $15B installed base
• Customer satisfaction: We have a Net Promoter Score of 40
• Data: We make decisions based on data collected from 1,000,000+ pieces of equipment
• Support: We employ ~2,700 service technicians which is 4x that of closest competitor
• Performance: We have 85% service renewal rates and 55% warranty capture rate in power*
• Sites: We keep 600,000+ customer sites connected
• First-time fix: We have ~90% first-time fix rate in site emergency visits. Returning critical load within 24 hours
• Remote monitor: We remotely monitor 12,000+ customers
• Training: We deliver 200,000 hours of technical training each year

* For medium and large UPS


Vertiv Timeline

Combining the entrepreneurial spirit of a startup with the resources and reach of an established leader.

• 1965: Liebert Corporation was formed as industry’s first manufacturer of precision computer room air conditioning (CRAC)
• 1987: Emerson acquires Liebert® Corporation – now a pioneer in thermal management, power protection for IT systems
• 2000: Emerson forms Network Power (ENP) business – integrates critical infrastructure technologies under single brand
• 2001: ENP increases presence in Asia – purchase of Avansys and forms ENP India
• 2004: ENP acquires Marconi outside plant and power system – expanding telecom industry solutions
• 2006: ENP acquires Germany-based Knürr AG – leading provider of enclosure systems
• 2009: ENP acquires Avocent – provider of service processor and data center management software and KVM solutions
• 2010: ENP acquires Chloride® – customized power solutions for industrial applications
• 2016: Vertiv launches as stand-alone business building on the success of Emerson’s past while expanding capabilities and commitment to support the mission of designing, building and servicing mission-critical technologies that drive possibility for our customers
• 2018: Vertiv makes its first three acquisitions, Energy Labs, a U.S.-based manufacturer of custom air handling systems, Geist, a leading manufacturer of rack power distribution units, and the service contracts of MEMS, a UK power generation maintenance business

Our numbers

• Sales: 4.3 B
• Employees: ~19,700
• Customers Include: Alibaba, Alstom, America Movil, AT&T, China Mobile, Equinix, Ericsson, Reliance, Siemens, Telefonica, Tencent, Verizon, Vodafone
• Manufacturing Sites: 19
• Customer Centers/Labs: 17
• Operations: 51 Countries

Offering: Broad range of power, thermal, and IT and edge infrastructure, solutions and services portfolio
• Critical Infrastructure and Solutions; IT and Edge Infrastructure; Services and Software Solutions

Geography: Global, well-established footprint, and supply-chain network
• Americas; EMEA; AP

End Market: Customers who operate in some of the world’s most critical industries
• Data Centers; Communications; Commercial & Industrial

Our presence

• Worldwide: Manuf. And Assembly Locations 19; Service Centers 270+; Service Field Engineers 2700+; Technical Support/Response 330+; Customer Experience Center/Labs 17
• US and Canada: Manuf. And Assembly Locations 7; Service Centers 120+; Service Field Engineers 850+; Technical Support/Response 120+; Customer Experience Center/Labs 4
• Latin America: Manuf. And Assembly Locations 1; Service Centers 20+; Service Field Engineers 300+; Technical Support/Response 25+; Customer Experience Center/Labs 2
• Europe, Middle East, and Africa: Manuf. And Assembly Locations 5; Service Centers 70+; Service Field Engineers 600+; Technical Support/Response 95+; Customer Experience Center/Labs 6
• Asia Pacific: Manuf. And Assembly Locations 6; Service Centers 60+; Service Field Engineers 950+; Technical Support/Response 90+; Customer Experience Center/Labs 5

Meeting our customers’ demand for data – wherever they are.

Data Privacy – Practical Perspectives

Agreements (1 of 2)

1. What does my client WANT TO DO with this agreement?
  • Sell products? Sell services? Buy products? Buy services?
  • If so, what products, or what services, and why?

2. What does THIS THING DO?
  • How does it do it? Who made it?
  • Who maintains / updates it? How? How often?

3. What protections DO WE WANT?
  • What is CRITICAL TO OUR BUSINESS?
    • Not to “business model” generally, and not scapegoating the general business approach
  • How do we preserve that?
    • Hardware; software; users
  • SCOPE OF DATA collected
  • What protections do we HAVE TO PASS DOWN from our customers / clients?
    • We need the same, or better, language compared to that prior agreement

Data Privacy – Practical Perspectives

Agreements (2 of 2)

4. What are the RISKS?
  • Regarding this product offering? With this provision?
  • Ask engineers
  • Consider a conversation, without deadline pressure, between outside counsel, inside counsel, and product offering engineers
  • What unintended consequences are there? Be creative and imagine the worst case scenario

Data Privacy – Practical Perspectives

Litigation

1. You know your position – but what are THE FACTS?
  • Engage an independent expert – perhaps quickly
    • Share discovery with her.
  • Discovery – with engineers!
    • Craft interrogatories with their input
    • Ask them to read depo transcripts
    • Ask them to review your depo outlines

2. Cut to the chase – plan for your cleanest DISPOSITIVE MOTION
  • If there is any hope of MTD, MSJ, MPSJ, write it now and plan discovery around it
    • Be strategic about what motion, on what claims, and when to file
    • Coordinate discovery accordingly
  • Ask a junior associate to write the motion with today’s facts
    • Read the blank “facts” section – what do you need?
    • Unleash discovery on the cold spots in your “facts” section

Adapting Your IT Environment to the New Normal

Security Challenges of the New Normal

Heightened risk of liability increases pressure to:

• Protect Personal Data
  • Defend against unauthorized access
  • Inhibit misuse through information governance and strong privacy practices
• Adopt “reasonable security” measures

Defending Your Personal Data

Access Controls and Defenses
• MFA
• Firewalls
• Malware and Threat Detection
• Network and System Hardening

InfoGov and Privacy Program Mgmt.
• Encryption
• Data Minimization
• Segmentation
• Data Disposal
• Obfuscation, Pseudonymization

Reducing Risk Through InfoGov.

[Diagram labels: Name, Address, Email, SSN, Tx History; Name]

In re Zappos.com, Inc.: “[T]he type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming.’”

InfoGov and the Data Lifecycle

• Collect: Minimization
• Store: Encryption, Segregation
• Use: Access Management, Privacy by Design
• Share: Minimization, Pseudonymization
• Archive: Encryption, Retention Schedule
• Destroy: Retention Schedule, Destruction

Reasonable Security

Risk Assessment
• Business operations using sensitive data
• IT systems
• Security threats
• Impact of security events
• Harm to company
• Harm to data subjects

Responsive Controls
• Policies, procedures, and mechanisms to address identified risks
• Operational, technical and physical

Program Documentation
• Documentation of controls in place and how they address identified risks
• Analysis of why certain controls are not needed, and how company is mitigating related risk

Reasonable Security
• But is it “reasonable”?

CCPA, § 1798.150(a)(1): Any consumer whose nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action ….

Reasonable Security

Generally accepted frameworks provide a strong baseline. For example:

• NIST 800-53
• Secure Controls Framework (SCF)
• ISO 27001, 27002
• Center for Internet Security (CIS) Controls
• NIST Cybersecurity Framework
• Security is not “check-the-box,” but…
  To regulators, you should be able to explain why you aren’t checking certain boxes
